Privacy Policy

When you upload an image or video, it is immediately processed on our servers:

• Images are resized to a maximum of 1 080 px, converted to WebP, and stripped of all EXIF metadata (location, device info, timestamps).
• Videos are transcoded to H.264 / AAC in an MP4 container.
• A thumbnail is generated for preview purposes.
• The original file is permanently deleted from our storage immediately after processing is complete. It is never backed up, archived, or retained in any form.

Only the optimised version and thumbnail are stored in Cloudflare R2 object storage, located in data centres within the region you select (default: US-East).

Optimised media is kept according to your plan:

Expired files are deleted daily by an automated cleanup job. You can also delete any file manually via the dashboard at any time.

We store the following account information to operate the service:

• Email address and display name (from your OAuth provider)
• Profile picture URL (served from your OAuth provider's CDN)
• Connected social platform handles and OAuth access tokens and refresh tokens, encrypted at rest before storage
• Scheduled post captions and target platforms
• Referral codes and reward history

We do not sell, rent, or share your personal data with third parties for advertising purposes.

We use administrative, technical, and organizational safeguards designed to protect personal information and sensitive data used to provide Sprkly.

• Encryption in transit: Sprkly is served over HTTPS/TLS to protect data transmitted between your browser and our service.
• Encryption at rest: OAuth access tokens and refresh tokens for connected platforms, including Google/YouTube, are encrypted before storage using AES-256-GCM. Tokens are decrypted only when needed to connect, refresh, publish, delete, or verify content on your behalf.
• Secret management: API keys, OAuth client secrets, signing secrets, and token-encryption keys are stored separately from application code in protected environment secrets and are not shipped in client-side application bundles.
• Least-privilege access: Access to production systems and stored user data is restricted to authorized personnel and service processes that need access to operate, secure, debug, or support the service.
• Media protections: Original uploads are deleted after processing. Optimised media and thumbnails are stored in Cloudflare R2 and accessed through application-controlled URLs. Metadata such as EXIF location and device information is stripped from processed images.
• Monitoring and incident response: We monitor service health and errors, investigate suspected unauthorized access, and will notify affected users or authorities when legally required.

If you connect a YouTube channel, Sprkly requests only the Google OAuth scopes needed for YouTube scheduling and publishing, such as YouTube upload and YouTube read-only channel scopes. We use this data to authenticate your channel, display connected-channel information, upload scheduled videos or Shorts, refresh expired access tokens, and record publishing results.

We do not sell Google user data, use it for advertising, or transfer it except as needed to provide Sprkly's user-facing features, comply with law, prevent abuse, or protect the service. You can disconnect your YouTube account or delete your Sprkly account to revoke Sprkly's stored access, and you can also revoke access from your Google Account permissions page.

Sprkly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• Cloudflare R2 / D1 — file storage and database, US-East region by default.
• Stripe — payment processing. We only store the Stripe Payment Intent ID; your card details are never on our servers.
• OAuth providers (Google, etc.) — used for sign-in. We receive only the scopes you explicitly grant.

You can delete your account at any time from Settings → Account. This permanently removes:

• Your account record and all associated data
• All media files (optimised versions and thumbnails) from Cloudflare R2
• All scheduled posts, referral records, and credit purchase history

Deletion is irreversible and is completed within 48 hours. Stripe records are subject to Stripe's own retention policies for financial compliance purposes.

To export a copy of your data before deleting, email privacy@sprkly.app.

We use a single session cookie for authentication (HttpOnly, Secure, SameSite=Lax). We do not use third-party tracking cookies or behavioural advertising scripts.

Basic anonymised usage metrics (page views, error rates) are collected via Cloudflare Analytics, which does not use cookies and does not track individuals across sites.

Questions about this policy or your data? Email privacy@sprkly.app. We respond within 5 business days.